EVALUATING A GOVERNMENT’S INTERNAL CONTROLS AND …
Evaluating A
Government’s Internal
Controls and a Review of
How Fraud Relates to
Internal Controls
Presented By
Paul E. Glick
Glick Consulting Group
Email [email protected]
THE AGENDA
Introduction and Overview
What Are Internal Controls
Management’s Objectives and
Responsibilities
Who Is Responsible for Internal Controls?
What Types of Public Sector Fraud Exist?
The Agenda
Where is the Independent Auditor?
Internal Control Environment
Risk Assessment
Control Activities
Information and Communication (Step 4)
Monitoring
The Agenda
Evaluation Controls Over Accounting And
Financial Reporting
Other Internal Control Pitfalls
Seminar Objectives
Review The Framework And Concepts Of
Internal Controls
Relate These Concepts To Financial
Cycles (I.E., The Real World)
Understand Who Might Be “Ripping Us
Off”
Factors Affecting our Current
Environment
Global financial crisis
Uncertainty in unexpected places
(Municipal Bond Ratings)
Increased regulation and oversight (Tax
Reform, ARRA) leading to diminished
control over revenues
Smaller staff due to budget cuts
Factors Affecting our Current
Environment
Trends in the Audit Community
SAS 115 (documentation of internal controls and communication with those in governance)
Risk Assessments
Fraud Risks
Oversight at the Federal Level
Transparency
COSO
Factors Affecting our Current
Environment
Governments are being asked to do more with less
Money and human resources
The Nature of Fraud Industry
Fraud Can Be Explained By Three Key
Factors:
A Supply Of Motivated Offenders
The Availability Of Suitable Targets
The Absence Of Capable Guardians Or A Control
System To “Mind The Store”
The Nature of Fraud Industry
The Opportunity To Commit & Conceal
Fraud Is The Only Element Over Which You
Have Significant Control.
What Are Some Of The Warning Signs?
What Can We Do About It?
A Survey Of Folks Regarding
Fraud
31% of All Americans are Dishonest
Another 40% are Situationally Honest (i.e., they will be
honest if it pays to be honest and dishonest if it pays to be
dishonest)
$200 Billion Employee Fraud Cost per Year Compared to
$11 Billion from Violent Crime
In Banks, 95% of Losses are from Employees and 5% are
Caused by Bank Robberies
In Retail, 70% of Losses are from Employees and 5% are
Caused by Shoplifters and Customers
Fraud and Abuse in The U.S.
U.S. Cost About $990 Billion A Year
Government And Public Administration Have A Median Loss
Of $93,000 Per Fraud Scheme
Average Organization Loses 7% Of Revenue
12% Of Cases In A Study Were Frauds That Occurred In
Government
Street Crime Only Costs The U.S. $4 Billion Annually
The Facts
Fraud Schemes Frequently Continue For Years Before They
Are Detected
The Typical Fraud In The Study Lasted 2 Years From The
Time It Began Until It Was Discovered
Frauds Are Much More Likely To Be Detected By A Tip Than
By Audits, Controls Or Any Other Means
Lack Of Adequate Internal Controls Was Most Commonly
Cited As The Factor That Allowed Fraud To Occur
Occupational Fraudsters Are Generally First-time Offenders
What Is Fraud?
It’s When Folks Are Ripping Off The
Government In Lots Of Different Ways
Fraud Is Like A Four Letter Word
Just Ignore It And It Will Go Away
It Will Never Happen To Us
Common Myths About Fraud
Most Folks Will Not Commit Fraud
Fraud Is Not Material
Most Fraud Goes Undetected
Fraud Is Well Concealed
Prosecuting Will Deter Others
Potential Cost Of Fraud
Loss Of Confidence In The Government
Loss To The Reputation Of Innocent Third
Parties (I.E., The Remaining Staff)
Cost To The Perpetrator
The Public Loss
Potential Cost Of Fraud
Diversion Of Public Resources From Intended
Purpose
Loss Of Money, Assets And Time
Embarrassment, Guilt, Humiliation And Shame
Subsequent Management Decisions Are
Reviewed Under A Microscope
Any Investigation Turns The Government Or
Agency Inside Out
Personal Rip Offs For Glick
Send Banking Information
Bank of America
Wachovia Bank
TCF Bank
HSBC Bank
Catawba Valley Bank
Regions Bank
Bank of the West
Washington Mutual
Bank Financial
Huntington Bank
Smith Barney
Personal Rip Offs For Glick
Frank Senger - $20.5 Million
Chief Adeniran Aderogba - $10 Million
Dr Sikas Usman - 30% of $45.8 Million
Dr. Ahmed Kassim - $10.5 Million
Miss Caroline Williams – 30% Of $16.5 Million
Mr Jack Chow – No Amount
Jim Mcconville - $20 Million British Pounds
Personal Rip Offs For Glick
Richard H Mason – 10% On All Payments Made
Mr. Brendon Hopkins – 30% Of $26.5 Million British Pounds
(Twice)
Mr. Mark Johnson – Lottery - $2.5 Million British Pounds
Mr. Carlos Moreno – 50% Of $34.5 Million
Miss Joyce Awuse - $5.5 Million
IRS - $109.30
Dr Dansuki Dan - $25.5 Million
Session 2
What Are Internal
Controls
What Are Internal Controls?
To put it simply, internal controls are an exercise
of common sense. You are practicing good
internal controls when you:
Balance your checkbook
Keep your ATM/debit card pin number separate from your
card
Keep copies of your tax return
Compare your monthly credit card statement to the credit
card receipts
Lock your car doors
What Are Internal Controls?
Internal Control Is A Process, Effected By
Management And Other Personnel, Designed To
Provide Reasonable Assurance Regarding The
Achievement Of Objectives In The Following
Categories:
Effectiveness And Efficiency Of Operations
Reliability Of Financial Reporting
Compliance With Laws And Regulations
What Are Internal Controls?
Internal Control Consists Of Five
Interrelated Components That Affect
Each Of The Three Categories
What Are Internal Controls?
Internal control is a process. It is a
means to an end, not an end itself.
Internal control is effected by people.
It’s not merely policy manuals and
forms, but people functioning at
every level of the institution.
Limitations on Internal Controls
Considerations Of Costs Will Prevent
Management From Ever Installing A
“Perfect System”
Controls Are Potentially Subject To
“Management Override”
Risk Of Collusion
Applying the COSO
Framework
Committee of Sponsoring
Organizations of the Treadway
Commission
www.coso.org
Who Are The Organizations
American Accounting Association
American Institute of Certified Public
Accountants
Financial Executives International
Institute of Management Accountants
The Institute of Internal Auditors
COSO Internal Control –
Integrated Framework
Established A Common Definition Of
Internal Control
Provides A Standard Against Which A
Government Can Assess Their Control
Systems And Determine How To
Make Improvements
Internal Control Components
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Internal Control Components
Internal Control Components
Interact With:
Operations
Financial Reporting
Compliance
Evaluating Internal Controls
Often, Evaluations Are Piecemeal
Approaches To The Task
Internal Controls Are Not Isolated
And Are Related To One Another
Internal Controls Are Actually:
A Coordinated Set Of Policies And
Procedures That Reflect A
Comprehensive Strategy For
Achieving Management’s Objectives
Assessing The Internal
Control Framework
Provides A Favorable Control Environment.
Continually Assesses Risk.
Establishes And Maintains Effective
Control- Related Policies And Procedures.
Effectively Communicates Information.
Monitors The Effectiveness Of Control
Policies And Procedures And The
Resolution Of Potential Problems
Identified By Controls.
A Basic Rule
More Is Not Better
The Cost Of Excessive Or Redundant
Controls Could Exceed The Benefits
Employees May View Controls As
Unnecessary “Red Tape”
Why Are Internal Controls So
Important?
Because The Prevention Of Fraud Is
Critical And Costs Are High
Session 3
MANAGEMENT’S OBJECTIVES AND
RESPONSIBILITIES
MANAGEMENT’S RESPONSIBILITIES
AND THE INTERNAL CONTROL
FRAMEWORK
EFFECTIVENESS
EFFICIENCY
COMPLIANCE
FINANCIAL REPORTING
EFFECTIVENESS
DETERMINES WHETHER THE GOVERNMENT AND ITS
DEPARTMENTS ARE MEETING THEIR OBJECTIVES
GOALS AND OBJECTIVES IDENTIFIED IN BUDGETARY
PROCESS
FOCUSES ON RESULTS RATHER THAN EFFORTS
INCLUDE OUTPUTS - HOW MUCH OF GOODS AND
SERVICES ARE PROVIDED
INCLUDE OUTCOMES - WHAT IS THE QUALITY OF GOODS
OR SERVICES TO BE PROVIDED
EFFICIENCY
MAKING OPTIMAL USE OF THE
RESOURCES MADE AVAILABLE
OBTAINING DESIRED RESULTS
WITH THE LEAST EXPENDITURE OF
RESOURCES
MEASURES COSTS (I.E., EFFORT) TO
RESULTS (I.E., EFFECTIVENESS)
COMPLIANCE
ANNUAL APPROPRIATED BUDGET
GRANTOR REQUIREMENTS
STATE OVERSIGHT REQUIREMENTS
IRS REQUIREMENTS
BOND COVENANTS
LOCAL LAWS AND REGULATIONS
FINANCIAL REPORTING
INTERNAL FINANCIAL REPORTING
EXTERNAL FINANCIAL REPORTING
- SPECIAL PURPOSE
- GENERAL PURPOSE
- CAFR
Session 4
Who Is Responsible
For Internal Controls?
Who is Responsible for Internal
Controls?
Everyone has a part in the internal
control system.
The roles vary depending upon what
level of responsibility and the nature
of involvement by the individual.
Who is Responsible for Internal
Controls?
Managers and supervisors are
responsible for ensuring that internal
controls are established and
functioning to achieve the mission
and objectives of their unit.
Each employee within an area should
be made aware of proper internal
control procedures associated with
their specific job function.
Is This Just A Problem For The Finance
Office?
Most Folks Think This Is Finance’s
Problem
But Not Really
However, We Are Emphasizing the
Finance Department In This Seminar
Management’s Responsibilities And
The Internal Control Framework
Any Entity, Be It A Government, A
Business Or A Nonprofit
Organization, Exists To Achieve Some
Purpose
It Is The Role Of Management To
Provide The Leadership Needed For
An Entity To Realize That Purpose
Management’s Responsibilities And
The Internal Control Framework
Furthermore, Management Is Not
Free Simply To Act In Any Way It
Might Choose To Achieve The Entity's
Goals
Management's Options And Actions
Are Circumscribed By Constraints
And Expectations, Both Implicit And
Explicit.
Responsibility For Internal
Controls
Management Is Primarily
Responsible For The Effectiveness Of
Internal Controls, Like Any Other
Aspects of Performance
A Side Note - Authority And
Responsibility Should Not Be
Separated
Responsibility For Internal
Controls
Management Is Subject To Oversight By
The Government’s Elected Officials
The Governing Body Is Ultimately
Responsible
Internal And External Auditors Can Assist
Management
Responsibility For Internal
Controls
This Stuff Is Not Something Different From
Your Basic Responsibilities As Leaders And
As Fiduciaries
Basic Management
Responsibilities
Achieving The Government’s Purpose
(Effectiveness)
Making Optimal Use Of Scarce Resources
(Efficiency)
Observing Restrictions On The Use Of
Resources (Compliance)
Periodically Demonstrating Accountability
For Stewardship Of Resources Placed In Their
Care (Reporting)
Session 5
What Types of Public
Sector Fraud Exist
Profile of Fraud Perpetrator
Male Or Female (White Males Over 60?)
No Prior Criminal History (<8%)
Well Liked By Co-workers
Likes To Give Gifts/Compulsive Shopper
Gambling Problems Not Unusual
Long-term Employee
Rationalizes: Starts Small Or “Borrows”
Lifestyle Clues
General Observations Of A Fraudster
Male
Intelligent (Bored With The Job Routine)
Egotistical (Scornful Of Obvious Control Flaws)
Inquisitive (E.G., Tempted By The Discovery Of A
Computer Vulnerability)
A Risk Taker
A Rule Breaker
A Hard Worker
Under Stress
Disgruntled At Work
The Fraud Triangle
Perceived Opportunity
To Commit Fraud
Perceived Pressure
Facing Individual
Exacerbated
in Economic
Downturn
Person’s Rationalization
Or Integrity
Conditions Present When
Fraud Occurs
Incentive/Pressure
Opportunity
Attitude and Rationalization
Causes Of Fraud
Character And Personality
- Financial Stress
- Addiction
- Disaffection
- Pathologies
Perceived Opportunity
- Permits Fraud
- Promotes Fraud
Why Folks Commit Fraud
Grumpy Gus
Stressed Sally
Pill poppin’ Paula
Never goes
home Ned
Why Folks Commit Fraud
Extravagant Ellen
Over-spent Ollie
Lotto Larry
Compulsive Connie
Who Commits Fraud?
Fraud Losses Caused By Managers And
Executives Were 16 Times Greater Than
Those Caused By Non-managerial
Employees.
Losses Caused By Men Were Four Times
More Than Those Caused By Women.
Losses Caused By Those 60 And Older Were 28 Times Those
Caused By Perpetrators 25 Or Younger.
Generally, What is the Goal of A
Fraudster?
Cash, Cash, Cash
Types Of Public Sector Fraud
Receipts Fraud
Disbursements Fraud
Assets Fraud
Cash Schemes
Stealing Cash Funds Processed Or On
Hand
Not Recording & Stealing The Cash
Receipts
Under Ringing & Stealing The
Difference In Cash Receipts
Altering Bank Deposits
Receipts Fraud
Lapping – Too Much Work!
Kiting – Bank Deposit Schemes
Granting Bogus Credit Memos
Forging Checks Received
Receipts Fraud
Duplicate Payments
Charge Off Fraud – Bogus Write-offs
Disposal Fraud
Credit Card Manipulation
Disbursements Fraud
Personal Bills
Bid Rigging
False Claims (Fictitious Suppliers,
Kickbacks)
Conflict of Interest
Disbursements Fraud
Travel Claim Fraud
Procurement and Credit Cards
Payroll and Benefits Fraud
Ghost Employees
Unclaimed Payroll Checks
Excess Payroll Payments (Falsifying Time
Cards)
Withholdings and W-2’s
Vacation and Sick Pay
Theft Of Assets Fraud
Petty Cash Fraud
Cash Register Theft
Consumable Inventory Theft
Capital Asset Theft
Using Assets For Personal Use
Red Flags
A Red Flag Is:
A Set Of Circumstances That Are Unusual In
Nature Or Vary From The Normal Activity.
A Signal That Something Is Out Of The
Ordinary And May Need To Be Investigated
Further.
Not About Guilt Or Innocence But Merely
Provides Possible Warning Signs Of Fraud.
Red Flags
Do Not Ignore A Red Flag – Studies Of Fraud Cases
Consistently Show That Red Flags Were Present,
But Were Either Not Recognized Or Were
Recognized But Not Acted Upon By Anyone.
Sometimes An Error Is Just An Error – Red Flags
Should Lead To Some Kind Of Appropriate Action,
I.E. An Investigation By A Measured &
Responsible Person, But Sometimes An Error Is
Just An Error And No Fraud Exists
Employee Red Flags
Employee Lifestyle Changes
High Employee Turnover
Significant Personal Debt And Credit Problems
Refusal To Take Vacation Or Sick Leave
Behavioral Changes
Lack Of Segregation Of Duties In A High-risk
(Vulnerable) Area
Employee Red Flags
Reluctance To Provide Information To Auditors
Photocopied Or Missing Documents
Weak Internal Control Environment
Unexpected Overdrafts Or Declines In Cash
Balances
Decisions Dominated By An Individual Or Small
Group
Employee Red Flags
Excessive Number Of Year-end Transactions
Management Displays Significant Disrespect For
Regulatory Bodies
Excessive Number Of Or Frequent Changes In
Checking Accounts
Accounting Personnel Are Lax Or Inexperienced
Employee Red Flags
High Employee Turnover Rate
Compensation Is Out Of Proportion
Decentralization Without Adequate Monitoring
Frequent Changes In External Auditors
Red Flags in Cash
Excessive Number Of Voids
Presence Of Personal Checks In Petty Cash
Unauthorized Bank Accounts
Excessive Or Unjustified Cash Transactions
Large Number Of Account Write-offs
Sudden Activity In A Dormant Account
Red Flags in Payroll
Inconsistent Overtime Hours For A Cost Center /
Department
Overtime Charged During A Slack Period
Overtime Charges For Employees Who Normally Would Not
Have Overtime Wages
Budget Variations For Payroll By Cost Center / Department
Employees With Duplicate Social Security Numbers, Names,
And Addresses
Employees With Few Or No Payroll Deductions
Red Flags in Procurement
Increasing Number Of Complaints About Services
Vendors Without Physical Address
Lack Of Physical Security Over Assets / Inventory
Payments To Vendors Not Included On An Approved Vendor
List
Vendor Address Matching Employee Address
Red Flags in Procurement
Purchases That Bypass Normal Procedures
Charges Without Shipping Documents
Vendor Payments Picked Up Rather Than Having It Mailed
High Volume Of Purchases From New Vendors
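The payroll and procurement red flags listed above can be run as routine checks over master-file extracts. The following is an added example, not part of the original presentation: the record layouts, field names and sample rows are constructed for illustration, and treating a blank or P.O. box address as "no physical address" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample records (not real data); field names are assumptions.
EMPLOYEES = [
    {"id": "E1", "ssn": "000-00-0001", "address": "12 Oak Street, Apt 4", "deductions": 412.10},
    {"id": "E2", "ssn": "000-00-0002", "address": "88 Pine Ave.", "deductions": 0.0},
    {"id": "E3", "ssn": "000-00-0001", "address": "5 Elm Rd", "deductions": 390.55},
]
VENDORS = [
    {"id": "V1", "address": "400 Industrial Blvd", "approved": True},
    {"id": "V2", "address": "88 PINE AVENUE", "approved": True},
    {"id": "V3", "address": "P.O. Box 219", "approved": False},
    {"id": "V4", "address": "", "approved": True},
]
PAYMENTS = [
    {"vendor": "V1", "amount": 12500.00, "delivery": "mail"},
    {"vendor": "V3", "amount": 4800.00, "delivery": "pickup"},
    {"vendor": "V2", "amount": 950.00, "delivery": "mail"},
]

_ABBREV = {"street": "st", "avenue": "ave", "road": "rd",
           "boulevard": "blvd", "apartment": "apt"}


def normalize_address(addr):
    """Lower-case, drop punctuation and abbreviate common street words so
    '88 Pine Ave.' and '88 PINE AVENUE' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def has_physical_address(addr):
    """Blank and P.O. box addresses count as non-physical (assumption)."""
    norm = normalize_address(addr)
    return bool(norm) and not re.match(r"^(p o|po) box\b", norm)


def payroll_flags(employees):
    """Payroll red flags: duplicate SSNs and employees with no deductions."""
    flags, by_ssn = [], defaultdict(list)
    for e in employees:
        by_ssn[e["ssn"]].append(e["id"])
        if e["deductions"] <= 0:
            flags.append(("few_or_no_deductions", e["id"],
                          "deductions=%.2f" % e["deductions"]))
    for ssn, ids in by_ssn.items():
        if len(ids) > 1:
            flags.append(("duplicate_ssn", ssn, ",".join(sorted(ids))))
    return flags


def procurement_flags(vendors, employees, payments):
    """Procurement red flags: no physical address, vendor address matching an
    employee address, payment to an unapproved vendor, payment picked up."""
    flags = []
    emp_by_addr = defaultdict(list)
    for e in employees:
        emp_by_addr[normalize_address(e["address"])].append(e["id"])
    vendor_by_id = {v["id"]: v for v in vendors}
    for v in vendors:
        if not has_physical_address(v["address"]):
            flags.append(("no_physical_address", v["id"], v["address"]))
            continue
        matches = emp_by_addr.get(normalize_address(v["address"]))
        if matches:
            flags.append(("address_matches_employee", v["id"],
                          ",".join(sorted(matches))))
    for p in payments:
        v = vendor_by_id.get(p["vendor"])
        amount = "%.2f" % p["amount"]
        if v is None or not v["approved"]:
            flags.append(("payment_to_unapproved_vendor", p["vendor"], amount))
        if p["delivery"] == "pickup":
            flags.append(("payment_picked_up", p["vendor"], amount))
    return flags


if __name__ == "__main__":
    # Each flag is a lead for review by a responsible person, not a finding.
    for flag in payroll_flags(EMPLOYEES) + procurement_flags(VENDORS, EMPLOYEES, PAYMENTS):
        print(flag)
```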
Profile of a Government At Risk
Less Than 100 Employees.
Management Ignores Irregularities.
High Turnover With Low Morale.
Staff Lacks Training
Session 6
Where Is The
Independent Auditor?
The Independent Auditor
Once The Independent Auditor Is
Finished With The Annual Audit, Can
Everyone Relax And Assume That “No
One Got Us This Year?”
Of Discovered Fraud, the Independent
Auditor Only Finds about 9%
Why Do Auditors Fail
To Detect Fraud?
Lack of Training
Accept any Reasonable Explanations
Going Through the Process of Ticking
and Tying Numbers
They May Not Want to Find Fraud, It
Causes Problems
They May Be Embarrassed
Not Enough Time Budgeted for the
Audit
Types of Audits
Financial Audits
Performance Audits
The Independent Auditor
The Auditor Reports On The Adequacy
Of Existing Controls Within The
Government
The Auditor Must Carefully Evaluate
The Internal Control System As A Basis
To Determine The Degree Of Audit
Procedures Necessary In The
Circumstances
New Statements on Auditing
Standards
A Few Years Ago, The Rules For
Auditors Were Changed And Expanded
Substantially
What Created The Need?
● Corporate Fraud In The “Roaring 90’s” Which Became Known In The Early 2000’s
● Sarbanes Oxley Act Of 2002 (Private Sector)
    ● Required Additional Internal Controls By Management
    ● Created A New Agency (PCAOB) To Closely Scrutinize Public Company Audits
    ● Removed The AICPA From Any Authority For Public Company Audit Standards And Peer Review
A New Audit Approach
● A Risk Based Audit
● The Government Must Identify Key Internal Controls That Relate To High Risk Areas
● Some of the Areas Might Include:
    ● Cash
    ● Investments
    ● Budget
    ● Revenue Receipts
    ● Expenditures
    ● Payroll
    ● Consumable Inventories
    ● Capital Assets
    ● Grants
Do the Auditors Look At
Everything?
● Auditors Obtain Reasonable Assurance, Not Absolute Assurance
● Materiality
● The Single Audit
    ● The Auditor May Report on Compliance and Internal Controls
    ● Major Federal Awards
Internal Audit Function
● Management Can Improve The Quality Of The Environment By Establishing An Internal Audit Function
● Report Directly To Top Management (Or The Elected Officials?)
● Monitoring The Effectiveness Of Control Related Policies And Procedures
Internal Audit Function
Internal Auditors Can Be Of Great Value To
State And Local Governments In A Variety
Of Ways.
In Particular, They Commonly Assist
Management In Monitoring The Design
And Proper Functioning Of Internal Control
Policies And Procedures.
Internal Audit Function
In This Capacity, Internal Auditors Themselves
Function As An Additional Level Of Control And So
Help To Improve The Government’s Overall
Control Environment.
Internal Auditors Also Can Play A Valuable Role
Conducting Performance Audits, As Well As
Special Investigations And Studies
Internal Audit Considerations
Don’t Let The Audit Function Become A Political
Football
Don’t Promise The Moon
Don’t Let The Auditors Become Free Roaming
Chickens.
Don’t Fly By The Seats Of Your Pants
Internal Audit Considerations
Don’t Use The Shotgun Approach To Scoping An
Audit
Never Leave A White Elephant In The Auditee’s
Office.
Don’t Count Your Chickens Before They Hatch.
Never Assume The Auditee Fixed The Problem.
GFOA Recommendations
Every Government Should Consider The
Feasibility Of Establishing A Formal Internal Audit
Function Because Such A Function Can Play An
Important Role In Helping Management To
Maintain A Comprehensive Framework Of Internal
Controls.
As A Rule, A Formal Internal Audit Function Is
Particularly Valuable For Those Activities
Involving A High Degree Of Risk (E.G., Complex
Accounting Systems, Contracts With Outside
Parties, A Rapidly Changing Environment).
GFOA Recommendations
If It Is Not Feasible To Establish A Separate
Internal Audit Function, A Government Is
Encouraged To Consider Either
1) Assigning Internal Audit Responsibilities To Its
Regular Employees Or
2) Obtaining The Services Of An Accounting Firm
(Other Than The Independent Auditor) For This
Purpose
GFOA Recommendations
The Internal Audit Function Should Be Established
Formally By Charter, Enabling Resolution, Or
Other Appropriate Legal Means;
It Is Recommended That Internal Auditors Of
State And Local Governments Conduct Their Work
In Accordance With The Professional Standards
Relevant To Internal Auditing Contained In The
U.S. General Accounting Office’s Publication
Government Auditing Standards, Including Those
Applicable To The Independence Of Internal
Auditors;
GFOA Recommendations
At A Minimum, The Head Of The Internal Audit
Function Should Possess A College Degree And
Appropriate Relevant Experience.
It Also Is Highly Desirable That The Head Of The
Internal Audit Function Hold Some Appropriate Form
Of Professional Certification (E.G., Certified Internal
Auditor, Certified Public Accountant, Certified
Information Systems Auditor); And
All Reports Of Internal Auditors, As Well As The
Annual Internal Audit Work Plan, Should Be Made
Available To The Government’s Audit Committee Or Its
Equivalent.
Goals Of Audit Committee
Ensure That Management Is Maintaining A
Comprehensive Framework Of Internal
Control
Ensure That Management’s Financial Reporting Practices Are Assessed Objectively
Determine That The Financial Statements Are
Properly Audited And That Any Problems
Disclosed In The Course Of The Audit Are
Satisfactorily Resolved
Key Benefits
Practical Tool For Focusing Board
Attention
Direct Communications Link Between The
Independent Auditors And The Governing
Body
Forum In Which The Independent Auditors
Can Candidly Discuss Audit-related
Matters With Members Of The Governing
Board Apart From Management
Applicability to Small
Governments
Smaller Governments Have The Same
Basic Responsibility As Larger
Governments
An Audit Committee Is Just As Necessary
For Both
Level Of Expertise Needed Of
Members
Sufficient Understanding To Perform Duties
With Expert Assistance (I.E., Financial Expert)
New Or Prospective Members Typically Should
Receive Some Brief Formal Training
Role Of The Audit Committee
Their Personal Responsibility As Audit
Committee Members
Training Should Underscore Professional
Skepticism In Dealing With Management
Relationship With
Independent Auditors
Auditors Report Directly To Audit
Committee
Provision To Meet Privately
Amend “Sunshine” And “Open Meetings” Laws
Accordingly
Relationship With
Independent Auditors
Two Views
Traditional
Internal Auditors/Management As Audit Committee/Governing
Body
Emerging
Completely Independent Of Management
Trade-off
Management Involvement And Cooperation V.
Independence
Basic Tasks
Determining The Scope Of The Audit
Determining The Scope Of “Nonaudit”
Services
Managing The Audit Procurement Process
Selecting The Independent Auditors
Reviewing The Financial Statements
Basic Tasks
Reviewing The Auditor’s Report
Reviewing The Comprehensive Framework
Of Internal Control
Assessing The Performance Of The
Independent Auditors
Providing An Independent Forum For
Findings Of Fraud, Abuse, Or Control
Override
Session 7
The Internal Control
Environment
The Control Environment
Sets The Tone For The Government
Influences Control Consciousness
Foundation For All Other Control
Components
Includes: Integrity, Ethical Values,
Competency, Management’s Philosophy,
And The Way Authority And Responsibility
Is Assigned
The Control Environment
Corporate Culture (Enron) (A 60 Page
Code of Ethics)
Does Management Believe That Internal
Controls Are Important To Achieving Its
Goals And Objectives?
Does Management View Internal Controls
As An Obstacle To Achieving Its Goals And
Objectives?
The Control Environment
“Who Knew Who They Were? There Was No Place
For Me To Voice My Concerns, Either To The
Internal Audit Function Or The Audit Committee.
Remember, I Was Not In The Accounting
Department. But Even If I Were, I Think I Would
Have Known It Would Have Been Fruitless,
Because I Would Have Had Access To Junior
Auditors Who Were Simply Not In The Position To
Raise The Flags That Would Have Hurt Their
Senior Auditors And Account Executives.”
Sherron Watkins
Enron Corporation
The Control Environment
The “Way We Do Things Around
Here”
Sets The Tone Of The Government,
Influencing The Control
Consciousness Of Its Staff
Management’s Attitude
What Is The Tone At The Top?
- Management
- Elected Officials
Will Management Allocate Resources To Internal
Controls?
Are There High Ethical And Professional
Standards?
Does Management Cut Corners?
The Typical Environment in
Which Fraud Occurs
Trust Is Placed In Employees
Employees Have Detailed Knowledge Of The
Accounting Systems And Their Weaknesses
Management Domination Subverts Normal
Internal Controls
The Typical Environment in
which Fraud Occurs
Management Adds Pressure To “Make The
Numbers”
Expected Moral Behavior Is Not Communicated To
Employees
Unduly Liberal Accounting Practices
The Typical Environment in
which Fraud Occurs
Ineffective Or Nonexistent Internal Auditing Staff.
Lack Of Effective Internal Controls.
Poor Accounting Records.
Related Party Transactions.
Incomplete And Out Of Date Procedural Documentation.
Management Sets A Bad Example.
Practical Application - Control
Environment
Establish Current Policies With Regard To
Ethical Behavior (Code Of Conduct),
Conflict Of Interest, Nepotism
Enforce Appropriate Discipline For Failure
To Comply With These Policies
Ensure Personal Adherence To Strong
Moral Code
Reward Competency
Practical Application - Control
Environment
Place High Degree Of Importance On
Maintaining Strong Internal Control
Provide For A “Whistle Blower” Policy That
Allows Employees And Others To Report
Fraud Or False Statements By The
Management Team
Impact of the Control
Environment
Don’t Underestimate The Importance Of
This Part Of The Control System.
All The Great Control Activities In The
World Will Not Be Effective If Employees
Know That Management Is Not Concerned
With Strong Internal Control, Lacks
Integrity Or Does Not Value Their
Employees
Control Environment Pitfalls
Ignoring The Tone That Management Sets
Or Thinking That The Control Environment
Is Not Important.
Inconsistency In Treatment Of Lapses In
Ethical Conduct.
Allowing Employees To Feel Devalued.
Maintaining A Qualified Staff
Competent And Honest Staff
Up To Date Job Descriptions
Follow Appropriate Hiring Policies (E.G., Not Hiring A
Relative Or A Buddy)
Assign Authority And Responsibility
Ensure That Employees Are Trained
Review And Document Performance
Set Appropriate Performance Goals For Promotion
Session 8
Risk Assessment
What Is Risk Monitoring
And Assessment?
The Government’s Identification And
Analysis Of Relevant Risks To
Achieving Its Objectives, Forming A
Basis On How They Should Manage
The Risks
Risk Assessment
Risks Result From Both External And
Internal Sources
These Change Over Time Based On
Economic, Regulatory, And Operating
Conditions
Risk Assessment Must Link Identified
Policy Objectives To Specific Risk Factors
Risk Assessment
Example: A Policy Of Receiving The
Highest Rate Of Return On Investments
Must Be Linked To Interest Rate Risk
Example: A Policy Of Allowing Payment
From Vendor Statements Rather Than
Original Invoices Only Must Be Linked To
The Risk Of Duplicate Payments
Risk Assessment
Example: A Policy Of Decentralized Cash
Receipts Must Be Linked To The Risk Of
Untimely Deposit And Recording To The
General Ledger.
Risk Assessment
Risk Assessment Must Also Link
Identified Control Objectives To
Specific Risk Factors
All Transactions Are Properly Authorized
Transactions Are Recorded In The
Correct Period For The Correct Amount
All Revenues Are Received And
Recorded Timely
Assets Are Not Stolen Or Lost
Risk Assessment
Risk Factors Are Created By:
The Nature Of Particular Accounts Or
Transactions
Turnover In Key Employee Positions
Changes In The Financial Markets
The Expertise Of The Personnel Handling
Transactions
Ineffective Or Poorly Designed Control
Activities
Practical Application - Risk
Assessment
Be Realistic About The True Risk With
Regard To A Particular Account Or Cycle Of
Transactions
Consider All Types Of Applicable Risk:
Inherent, Control Risk, Fraud Risk, Credit
Risk, Etc
Make Sure To Address IT Risk
Identify “What Could Go Wrong?”
Risk Detection
It Is Like A Physician
It Is Like An Attorney
Prevention And Quick Corrective
Action
Inherent Risk
It Is Life!
Inherent Risk
Complexity
Cash Receipts
Direct Third Party Beneficiaries
Degree Of Centralization
Prior Problems
Prior Unresponsiveness To Identified Control
Weaknesses
Effect Of Change On Risk
Management
Changes In The Environment
Changes In Personnel
Changes In Technology
Rapid Growth
New Programs And Services
Changes In Structure
What Could Go Wrong?
Example: Cash Disbursements
Payments Could Be Made To Fictitious
Vendors
Disbursements Could Be Made For The
Wrong Amount
Duplicate Payments Could Be Made On An
Invoice
Disbursements Could Be Recorded In The
Wrong Period
What Could Go Wrong?
Example: Investments
Excessive Transaction Fees Could Be
Charged To The Government.
Investments Held By The Government
Could Be Stolen (Certificates Of Deposit).
Investments Outside The Government’s
Risk Tolerance Could Be Purchased And
Result In Loss Of Principal.
What Could Go Wrong?
Example: Cash Receipts
Funds Received Could Be Credited To The
Wrong Customer Account
Cash Could Be Stolen By An Employee
Amounts Received Could Be Recorded Net
Rather Than Gross
Amounts Receivable May Never Be
Collected Due To Failure To Follow Up On Past
Due Amounts
Risk Matrix – Cash Receipts
Objective: All collections are properly identified, control totals developed, and collections promptly deposited intact.
Risk Factors: Failure to record cash receipts, withholding or delaying the recording of cash receipts.
Objective: All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards.
Risk Factors: Misappropriated cash or petty cash funds, diverted cash receipts, unauthorized cash disbursements, loss of funds.
Objective: All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are properly and timely reconciled with bank statement balances.
Risk Factors: Misstating cash balances, covering unauthorized transactions by falsifying bank reconciliation.
Objective: All transactions are promptly and accurately recorded in adequate detail records and appropriate reports are issued.
Risk Factors: Covering unauthorized transactions by substituting unsupported credits or fictitious expenditures to cover misappropriated collections, under or overestimating cash or receivables.
Impact Ranking / Probability Ranking (values in listed order): 5 4 5 3 4 3 3 4
Practical Application - Risk
Assessments
Risk Assessments Can Be Documented Via
Narrative, Checklist Or Matrix
Tools Available Include:
COSO Documents Available Via AICPA
PPC Checklists Or Other Auditor Utilized
Templates
Local Government Websites (Perform Google
Search For “Government Internal Control”)
Practical Application - Risk
Assessments
Remember That Use Of A Third Party Does
Not Eliminate Management’s
Responsibility For Assessing Risks.
Structure Of Agreement Is Important
Obtain SAS 70
Reconcile Reports To General Ledger (As
Applicable)
Practical Application - Risk
Assessments
Remember That IT Controls Can Affect Risk For
All Cycles Of Transactions. Well Designed
Internal Controls Can Be Made Ineffective By
Poor Controls Over IT.
System Log-in Should Mirror Job
Responsibilities
Passwords
Remove Temporary Access Granted Once No
Longer Appropriate
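The IT points above (log-in rights that mirror job responsibilities, temporary access removed once it is no longer appropriate) and the segregation-of-duties control mentioned earlier can be checked with a periodic access review. The following is an added example, not part of the original presentation: the role names, permission names, conflict pairs and sample grants are all hypothetical and constructed for illustration.

```python
from datetime import date

# Hypothetical baseline: the permissions each job role needs (assumption).
ROLE_BASELINE = {
    "cashier": {"receipt.post"},
    "ap_clerk": {"invoice.enter", "vendor.view"},
    "finance_manager": {"payment.approve", "vendor.view", "gl.reconcile"},
}
# Hypothetical pairs one person should not hold together (segregation of duties).
SOD_CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("receipt.post", "gl.reconcile"),
]
USER_ROLES = {"jlee": "cashier", "mortiz": "ap_clerk", "tkhan": "finance_manager"}

# Constructed export of current grants; temporary_until is None for standing access.
GRANTS = [
    {"user": "jlee", "permission": "receipt.post", "temporary_until": None},
    {"user": "jlee", "permission": "gl.reconcile", "temporary_until": date(2024, 3, 31)},
    {"user": "mortiz", "permission": "invoice.enter", "temporary_until": None},
    {"user": "mortiz", "permission": "vendor.create", "temporary_until": None},
    {"user": "mortiz", "permission": "payment.approve", "temporary_until": date(2024, 6, 30)},
    {"user": "tkhan", "permission": "payment.approve", "temporary_until": None},
]


def review_access(grants, user_roles, today):
    """Return sorted (user, finding, permission) tuples for:
    - standing access outside the user's role baseline,
    - temporary access still present after its end date,
    - conflicting permissions held by one user at the same time."""
    findings = set()
    held = {}
    for g in grants:
        user, perm, until = g["user"], g["permission"], g["temporary_until"]
        # Anything still granted counts as held, even if it should have lapsed.
        held.setdefault(user, set()).add(perm)
        baseline = ROLE_BASELINE.get(user_roles.get(user), set())
        if until is not None:
            if until < today:
                findings.add((user, "expired_temporary_access", perm))
        elif perm not in baseline:
            findings.add((user, "exceeds_job_role", perm))
    for user, perms in held.items():
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings.add((user, "sod_conflict", "+".join(sorted((a, b)))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(GRANTS, USER_ROLES, date(2024, 6, 1)):
        print(finding)
```

A temporary grant that is still within its window is not reported on its own, but it still counts toward a segregation-of-duties conflict, which is why the second user is reported even though the approval right has not yet expired.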
Risk Assessment Pitfalls
Trying To Identify A Control For Every Risk
Factor.
Ignoring The Possibility Of Existing
Compensating Controls.
Not Performing A Risk Assessment
Annually Or At Least When Key Factors
Have Changed (Regulatory, Employee
Turnover, Etc.)
Ignoring IT Controls.
Session 9
Control Activities
Control Activities
The Policies And Procedures That Ensure
Management’s Directives Are Followed
These Occur At All Levels Throughout The
Organization
Include: Approvals, Authorizations,
Verifications, Reconciliations, Security Of
Assets, Segregation Of Duties And Review
Of Operating Performance
Practical Application - Control
Activities
Address Control Objectives: Existence Or
Occurrence, Completeness, Valuation Or
Allocation, Rights And Obligations, Accuracy Or
Classification, Cutoff And Presentation And
Disclosure
Tie Control Activities To Risks Previously
Identified And Address “What Could Go Wrong”
Scenarios
Balance Cost And Benefit
Practical Application - Control
Activities
Identify Control Objectives And The Risks Of
What Could Happen
For Each Risk Factor Identified, Evaluate The
Potential Impact And Probability Of Occurrence
Design Control Activities To Address High Impact,
High Probability Concerns
Evaluate Annually
Risk Matrix
Cash Receipt Example
(Columns: Objective, Risk Factors, Impact Ranking, Probability Ranking, Control Procedure)

Objective: All collections are properly identified, control totals developed, and collections promptly deposited intact.
Risk Factors: Failure to record cash receipts, withholding or delaying the recording of cash receipts.
Control Procedure: Cash receipts are posted daily to the accounts receivable. The cash receipts are reconciled to daily bank deposits. Bank reconciliations are performed timely to reconcile all bank deposits.

Objective: All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards.
Risk Factors: Misappropriated cash or petty cash funds, diverted cash receipts, unauthorized cash disbursements, loss of funds.
Control Procedure: Bank reconciliations are performed timely to reconcile all bank deposits and disbursements to the general ledger. Petty cash funds and cash receipts deposits are securely maintained in a safety bag, lockbox, or safe depending on their location. Bank deposits are delivered to the bank daily in secure bank bags.

Objective: All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are properly and timely reconciled with bank statement balances.
Risk Factors: Misstating cash balances, covering unauthorized transactions by falsifying bank reconciliation.
Control Procedure: Bank reconciliations are reviewed by management independent of the individual that prepares them.

Objective: All transactions are promptly and accurately recorded in adequate detail records and appropriate reports are issued.
Risk Factors: Covering unauthorized transactions by substituting unsupported credits or fictitious expenditures to cover misappropriated collections, under or overestimating cash or receivables.
Control Procedure: Cash receipts are posted daily to the accounts receivable. The cash receipts are reconciled to daily bank deposits. Bank reconciliations are performed timely to reconcile all bank deposits.

Impact Ranking / Probability Ranking values, in transcript order: 5, 4, 5, 3, 4, 3, 3, 4
Risk Matrix
Cash Disbursements Example
(Columns: Objective, Risk Factors, Impact Ranking, Probability Ranking, Control Procedure)

Objective: All checks are prepared on the basis of adequate and approved documentation, compared with supporting data and properly approved, signed and mailed.
Risk Factors: Incorrect or duplicate payments, alteration of checks, disbursement for materials or services not properly documented or approved.
Control Procedure: Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the Finance Manager before being processed for printing and sent out.

Objective: All requests for goods and services are initiated and approved by authorized individuals, and are in accordance with budget and appropriation guidelines.
Risk Factors: Purchases from unauthorized vendors, purchases in violation of a conflict of interest policy, purchases that demonstrate unfair bidding practices, purchases are not made timely, purchases not in accordance with budget provisions.
Control Procedure: Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City budget officer reviews for budget restrictions on purchase orders.

Objective: All invoices processed for payment represent goods and services received and are accurate as to terms, quantities, prices and extensions; account distributions are accurate and agree with established account classifications.
Risk Factors: Payment based on improper price or terms, accounting distribution of cost is inaccurate.
Control Procedure: The City only processes payment from invoices and costs are allocated based on the expenditure accounts on the initiating purchase order.

Impact Ranking / Probability Ranking values, in transcript order: 5, 5, 5, 4, 5, 3
Practical Application - Control
Activities
It Is Not Necessary To Address Every Risk
Factor With A Specific Control Activity –
Focus On Key Areas
Utilize Compensating Controls Where
“Textbook Approach” Is Not Practical
Evaluate The Benefit Of Existing
Monitoring Controls
Risk Matrix
Cash Disbursements Example

Control Procedure: Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the Finance Manager before being processed for printing and sent out.
Compensating Control: Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the City Clerk (City Manager) before being processed for printing and sent out.

Control Procedure: Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City budget officer reviews for budget restrictions on purchase orders.
Compensating Control: Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City Clerk reviews for budget restrictions on purchase orders.
Key Control Activities
Address Unusual Transactions Or Variance
From Expected Benchmarks In Timely
Fashion
Reconcile Accounts Per General Ledger To
Subsidiary Ledgers Or Statements From
Trustee/Custodian (As Applicable)
Separate Initiation And Authorization
From Recording Of Transactions
Key Control Activities
Provide For Oversight By Interested
Party Such As Investment Committee
(Include Trustee Activities), Audit
Committee Or Citizens’ Group
Utilize Disclosure Checklist To Ensure
Presentation And Disclosure
Requirements Are Met
Control Activities Pitfalls
Remember That For Small Governments Key
Objectives Must Be Identified
Reducing The Risk Of Theft Or Fraud
Providing For Accountability
Ensuring Compliance With Regulations
Focus On True Effectiveness – Not Just Cookie
Cutter Approaches
Ensure Benefit Justifies The Cost
Session 10
Information and
Communications
Information and
Communication
Includes Both Internal And External Interaction
Requires Pertinent Information To Be Identified,
Captured And Communicated In A Form And
Timeframe For Employees To Carry Out Their
Responsibilities
Reports Must Contain Relevant Operational,
Financial And Compliance Information
Practical Application - Information
and Communication
System Generated Reports Must Include
Relevant Information
Statements From Outside Third Parties
(Broker/Dealers, Bank Statements,
Grantor Agency) Must Be Channeled To
Correct Personnel And Provided Timely
Information And Communication
Example: Investments
Communication With Investment Committee Or
Other Oversight Body Should Include:
Types Of Investments Held
Average Rate Of Return For Period And YTD
Compared With Benchmarks
Average Maturity Of Portfolio
Compliance With Investment Policy Provisions
Information and Communication
Example: Investments
Communication With Investment Committee Or
Other Oversight Body Should Also Include:
Changes In Investment Strategy (If Any)
Interest Rate Environment Changes
Discussion Of Any Unusual Transaction Or
Particularly Risky Investment
Information and Communication
Example: Cash Disbursements
Communication With Departments
Budget To Actual Report By Budgeted Line
Request To Explain Certain Variances
Detail Of Capital Assets Added To Subledger
Communication With Council
Budget To Actual Comparison By Department
Explanations For Variances Over A Certain
Threshold
Information and Communication
Example: Cash Receipts
Daily Cash Reports Should Show Revenue By
Major Categories Such That Reconciliation To
The General Ledger Is Facilitated.
The Date Of Receipt And Date Of Deposit Should
Be Included Along With The General Ledger
And Bank Account Information.
Information And
Communication Pitfalls
Generating Reports That Provide
Inaccurate, Untimely Or Unnecessary
Information
Providing Inappropriate Information
Outside The Organization (SS #, Employee
Evaluations)
Failure To Verify Accuracy Of Externally
Provided Reports
Session 11
Monitoring
Monitoring
Assessing The Quality Of The Internal
Control System And Making
Modifications As Needed
This Process Is Ongoing Through The
Normal Course Of Operations And At
Separate Specific Evaluations Of A
Particular Process
Monitoring
COSO Framework States That “Monitoring Ensures
That Internal Control Continues To Operate Effectively.”
The COSO Framework Recognizes That Risks Change Over
Time And That Management Needs To “Determine Whether
The Internal Control System Continues To Be Relevant
And Able To Address New Risks.”
Monitoring
The Original COSO Report On
Internal Controls Was Issued In
1992.
In 2009, COSO Issued “Guidance On
Monitoring Internal Control Systems”
Emphasized Importance Of
Monitoring Controls As Part Of Even
Small Government Environments.
Monitoring
Monitoring Is Both An On-going
Process And Can Be Annual In Nature
(Testing Of Key Controls)
Process Can Be Done Annually By The
Internal Audit Department (As
Applicable) Or As An Internal Review
By Finance Personnel.
Practical Application –
Examples of Monitoring
Cash Receipts
Performing A Review Of Bank
Reconciliations On A Monthly Basis And
Signing Off As Having Reviewed These.
Monthly Comparison Of Actual Receipts
To Budgeted Receipts And Investigation
Of Significant Discrepancies.
Annually Selecting A Few Transactions
To Ensure Proper Recording.
Practical Application –
Examples Of Monitoring
Cash Disbursements
Performing A Review Of Bank
Reconciliations On A Monthly Basis And
Signing Off As Having Reviewed These.
Monthly Comparison Of Cash
Disbursements To Budgeted
Expenditures/Expenses And
Investigation Of Significant
Discrepancies.
Practical Application –
Examples Of Monitoring
Cash Disbursements
Reconciliation Of P-card Purchases By
Someone Other Than The Card Holder
Annual Test Of A Selection Of
Transactions For Proper Recording.
Practical Application –
Examples of Monitoring
Investments
Performing Investment Portfolio Review
(Including Evaluation Of Concentration And
Type Of Investments) Quarterly By Person
Independent Of Investment Portfolio
Management
Disclosure Of Conflict Of Interest Statement
Annually By Portfolio Manager
Obtaining A SAS 70 Report From Custodian
Annually
Practical Application – Monitoring
Controls Will Change As The Makeup Of An
Account Changes
Controls Should Be Evaluated When There
Are Changes In Key Personnel Or Software
Applications
Be Responsive To Information Requests Of
Key Management Personnel
Review Policies And Procedures Annually
Monitoring Pitfalls
Failure To Perform Any Monitoring Control
Activities.
Overkill For The Organization’s Size. One Or Two
Key Data Cycles Or Areas Can Be Selected Each
Year For Testing Of Controls.
No Attempt To Actually Test Key Controls In Some
Fashion.
Failure To Evaluate Controls When Personnel Or
Software Changes.
Session 12
Evaluation Controls Over Accounting
And Financial Reporting
Know Where To Start
Identify Control Cycles
Basic Control Cycles
- Obtaining Resources
- Applying Resources
Identify Control Cycles
It Is Easy For Management To Be Daunted By The
Sheer Volume And Complexity Of Controls Over
Accounting And Financial Reporting.
Accordingly, The First Step In Evaluating These
Controls Is To Know Where To Start.
The Best Place To Begin Is By "Breaking Down"
What A Government Does Into Manageable
Groupings Of Similar Or Related Activities,
Commonly Known As "Control Cycles."
Obtaining Resources
The Resources Inflows Control Cycle
- Obtaining Legal Claim (Levy The Tax,
Provide The Service)
- Demanding Payment (From Taxpayers,
Customers And Grantors)
- Converting To Cash (Collect)
Applying Resources
The Resources Outflows Control
Cycle
Applying Resources (Issue Purchase
Orders, Approve Contracts, Hire
Employees, Award Grants)
Applying Resources
The Resources Outflows Control
Cycle
- Ensuring Conditions Met (Receipt
Of Goods Or Services, Compliance
With Grant Requirements)
- Making Cash Payments
Interim Management
Governments Are Not Able To Apply
Immediately All Of The Resources They
Obtain.
Rather, There Will Be A Greater Or Lesser
Interval Between When Resources Are
First Obtained And When Those Resources
Are Finally Converted Into Goods And
Services
During This Interval, A Government Must
Carefully Manage The Resources Entrusted
To Its Care.
Interim Management
First, Liquid Resources (E.G., Cash) Must Be
Properly Protected And Used To Best Advantage
Until Needed (I.E., Invested Or Placed On
Deposit).
Second, Non Liquid Assets Used In The Provision
Of Services (E.G., Equipment, Inventories Of
Supplies) Must Be Properly Protected And
Maintained.
When Both Of These Processes Are Combined
Together, The Result Is A Third Control Cycle For
"Resource Management."
Seven Important Steps
Vulnerability Assessment
Documenting Transactions
Identifying Specific Risks
Identifying Compensating Controls
Seven Important Steps
Evaluating The Design Of
Compensating Controls
Testing Compensating Controls
Assessing The Results Of Testing
Session 13
Control Cycles
A Final Review
Cash Controls
Collection Controls
Disbursement Controls
Custody Controls
Accounting Controls
Reconciliation Controls
Investments Controls
Segregation of Duties
Procedural Controls
Custody Controls
Accounting Controls
Capital Asset Controls
Segregation of Duties
Procedural Controls
Authorization Controls
Asset Accountability Controls
General Ledger Controls
Inventory Controls
Segregation of Duties
Authorization Controls
Receipt/Issues Controls
Physical Inventory Controls
Procurement Controls
Segregation of Duties
Procedural Controls
Requisition Controls
Procurement Controls
Receiving Controls
Invoice Processing Controls
Personnel and Payroll Controls
Segregation of Duties
Procedural Controls
Personnel Controls
Payroll Processing Controls
IT Controls
Segregation of Duties
Procedural Controls
Documentation Controls
Data Controls
Security Controls
Inventory Controls
Session 14
Other Internal Control
Pitfalls
A Final Reminder About I/C
Pitfalls
Don’t Focus On Areas Where Risk Is Low
Don’t Ignore Risk Factors You Become Aware Of
Throughout The Year
Talk To Your Auditors About Areas Of Concern
They May Have And New Auditing Standards That
Will Affect Your Audit.
Make Sure To Tailor Any “Borrowed” P&P To Your
Organization.
A Final Reminder About I/C
Pitfalls
Remember That The Cost Of
Implementing The Control Structure
Should Not Outweigh The Benefit.
Remember To Address Budget, Grant
And IT Controls.
Summary
The Control Environment Establishes
The Importance Of Internal Control.
Risk Assessments Must Be Realistic
And Performed When Changes To
Objectives Or Policies Occur, There Is
Turnover In Key Employees Or
Significant Changes In The Financial
Markets.
Summary
Control Activities Should Be Focused On
Areas Of Highest Risk. Monitoring
Controls Are An Effective Stopgap For Smaller
Entities.
Information And Communication Must
Provide Relevant Information For
Managing The Assets And Liabilities Of The
Entity.
Monitoring Of The Internal Control System
Is An Ongoing Process.
Session 15
Red Flags and Fraud
How to Catch a Fraudster
Independent Auditor
Internal Audit
Getting Ratted Out
Oops Method
How to Catch a Fraudster
Rotate those Job Duties
The Spot Check
And, the Surprise Attack
Eliminate Fraudster Potential
Background Check
Criminal
Credit
References
Verify the Social
Eliminate Fraudster Potential
Background Check
Driving Record
The Education
Professional Credentials
Drug Testing
Tips – Employee Changes
Attendance
Tardiness
Avoiding Others
Bathroom Breaks
Tips – Employee Changes
Listen
Look
Smell
Observe
Ask
Top Ten Reasons
Fraud Beats Internal
Controls
And What Management Can Do About
It?
“Fighting the Last War”
Accountants Too Often Allow
Themselves To Focus Almost
Exclusively On Past Weaknesses
Rather Than On Current And Future
Exposures (Like Putting Up Traffic
Signals Only After An Accident
Occurs)
Establish A System Of Proactive Fraud
Policies – Don’t Wait For Something To Pop
Up!
Use Of The Analytical Review
Watch For Increasing Expenses,
Increasing Receivables/Decreasing Cash,
Increasing Revenue/Decreasing Cash
Use Fraud Assessment Questions With
Each Employee
Establish A System Of Proactive Fraud
Policies – Don’t Wait For Something To Pop
Up!
Enforce A Mandatory Vacation Policy With
A Senior Person Filling The Position For
Several Days
Enforce A Mandatory Job Rotation Policy
Periodically, Stage A Surprise Audit Of
Each Position
Detection of Fraud Schemes
Tip (46.2%)
By Accident (20%)
Internal Audit (19.4%)
Internal Controls (23.3%)
External Audit (9.1%)
Notified by Police (3.2%)
Control Related Policies
Authorization
Properly Designed Records
Security Of Assets And Records
Segregation Of Duties
Periodic Reconciliations
Periodic Verifications
Analytical Review
1. Goin’ Through the Motions
Process Mentality
Just Doing The Steps In The Process
Not Thinking About What One Is Doing
Example: Two Signatures Required On Checks.
Both Check Signers Fail To Notice The Check Has
No Payee And Still Sign The Check
Remedy: Reinforce The Need To Pay Attention
And The Consequences For Failure
2. See No Evil, Hear No Evil
Blind Trust
Failure To Acknowledge Warning Signals
Example: Failure To Follow Up On A Customer
Complaint Of An Incorrect Bill For Service And
Relying On The Experienced And Valued Billing
Clerk’s Response That It Was Just An Error.
Remedy: Realize That Anyone Can Commit Fraud.
Assume Discrepancies Are Fraud And Prove To
Yourself It Is Only An Error.
3. It’s Good to be The King
Positional Immunity
Rationalizing That Controls Don’t Apply To Me
Because I Am In Upper Management.
Often Referred To As Management Override.
Example: Executive Director Doesn’t Report Leave
Used, But Still Gets Paid For Unused Leave
Annually.
Remedy: Identify Someone Within Or Outside The
Entity That You Can Report These Circumstances
To And Not Jeopardize Your Job.
4. New Kid on the Block
Situational Incompetence
New Employee Not In A Position To Question Why
Example: New Accounts Payable Clerk Questions
Why Purchases From A Certain Vendor Do Not
Require Bids, And Is Told That Such Purchases
Are Exempt.
Remedy: If You Are The Supervisor, Don’t Assume
New Employee Just Doesn’t Understand. Take
Their Questions Seriously And Ask Yourself Why.
If You Are The Employee, Ask More Than One
Person.
5. Where’s All the Time Gone?
Workload Overload
Not Enough Time To Perform Control Procedures
Example: Knowing That The Supervisor Is Too
Busy To Reconcile Accounts Receivable, A Billing
Clerk Steals Cash And Posts Unauthorized
Adjustments.
Remedy: Reevaluate Assignment Of Duties, And
When Needed, Demand More Resources By
Focusing On The Consequences Of Fraud.
6. Can’t We All Be Happy?
Conflict Avoidance
Responsible Employees Not Comfortable In
Confronting Other Employees
Example: A Supervisor Recognizes That The Cash
Drawer Is Always Short At The End Of The Day,
But Is Uncomfortable In Confronting The
Employee.
Remedy: Reinforce Supervisory Responsibilities.
Provide Employee Management Training. Don’t
Tolerate Poor Performance.
7. Where’s the Beef?
Informational Restraint
Responsible Employees Lack The Information
They Need To Identify An Improper Transaction
Example: An Accounts Payable Clerk Is Not
Provided A Contract That Includes A Not-To-Exceed Price Limit And Vendor Takes Advantage
By Over-billing.
Remedy: Reinforce With Employees The Openness
And Availability Of Records And Information.
8. It’s None of My Business
Behavioral Ignorance
Responsible Employees Ignore Behavioral Signs
Or Indicators Of Possible Fraud
Example: Management And Other Employees Fail
To Investigate Or Question An Employee That Is
Living Well Above Their Means Or Salary Level.
Remedy: Create An Environment Within The
Government That Fosters Ethical And Responsible
Behavior. Create An Anonymous Hotline.
9. It’s Over My Head
Informational Ignorance
Officials Ignore Fraud Warning Signs In Reports
Because They Don’t Understand The Reports
Example: Highway Patrol Fine Revenue Was
Embezzled And Monthly Budget Report Shows A
Potential Problem, But The Report Is Too
Complicated For Management And Governing
Board To Understand.
Remedy: When It Comes To Reports, Use The KISS
Principle And Train The Users.
10. A Bad Apple in the Bunch
Ethically Challenged
Employees Responsible For Controls Are Just Not
Ethical And Morally Responsible Individuals
Example: Purchasing Supervisor Is Dishonest And
Convinces An Accounts Payable Employee To
Process Fake Invoices For Payment And Split The
Money Between Them.
Remedy: Don’t Hire Crooks.
To Summarize Internal Controls:
Provide A Favorable Control Environment
Provide For The Continuing Assessment Of Risk
Provide For The Design, Implementation And
Maintenance Of Effective Control Related Policies
And Procedures
Provide For The Effective Communication Of
Information (We Kind Of Skipped This Topic)
Provide For The Ongoing Monitoring Of The
Effectiveness Of Control Related Policies And
Procedures
We Are Finished
Please “Don’t Steal”
Contact Paul @
[email protected]